The HIPAA Security Standard

The HIPAA Security Standard was proposed to ensure confidentiality and integrity of individually identifiable health information that is electronically maintained or transmitted. The proposed rule was published in August of 1998, and the final rules were published in February 2003. The compliance date is April 21, 2005. 45 C.F.R. §164.302. The Security Standard is actually a group of standards (pdf) that can be separated into the following primary categories: (1) Administrative procedures to guard data integrity, confidentiality, and availability; (2) Physical safeguards to guard data integrity, confidentiality and availability; (3) Technical security services to guard data integrity, confidentiality, and availability; (4) Addressable implementation specifications for the security of electronic transmissions of PHI.

Scope of Coverage

The Security Standard will apply to any health plan, healthcare clearinghouse, or healthcare provider that electronically maintains or transmits individually identifiable health information. Electronic transmissions include transactions using all forms of electronic media, even when the information is physically moved from one location to another using magnetic tape, disk or compact disc. Transmissions over the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, and private networks are all included. Telephone voice response and "faxback systems" (a system by which a request for information is made via voice using a fax machine and requested information returned via that same machine as a fax) would not be included. The Security Standard is detailed and contains many requirements concerning the security and integrity of electronic data. The final regulations should be analyzed for implementation by the compliance date.